refactor(module): require AoT and provide those instead of checking lune require

modules/sandbox.luau

@@ -1,11 +1,14 @@
 local fs = require("@lune/fs")
 local luau = require("@lune/luau")
 local process = require("@lune/process")
+local serde = require("@lune/serde")
 local stdio = require("@lune/stdio")
-local processArgs = table.clone(process.args)
+local task = require("@lune/task")
-local filePath: string = table.remove(processArgs, 1) or error("usage: lune run sandbox [SCRIPT_PATH] -- [ARGS]")
+
+local processArgs = table.clone(process.args)
+local filePath: string = table.remove(processArgs, 1)
+	or error("usage: lune run sandbox [SCRIPT_PATH] -- [ARGS]")
 
-local DEFAULT_REQUIRE = require
 local DEFAULT_PRINT = print
 local SANDBOXED_ENV = {
 	debugName = filePath,
@@ -18,6 +21,28 @@ local SANDBOXED_ENV = {
 	},
 }
 
+local PROMPT_MSG_TMPL = `allow {SANDBOXED_ENV.debugName} to access %s?`
+local DENIED_ERR_TMPL = `{SANDBOXED_ENV.debugName} tried to access disallowed library %s!`
+
+local function constructSandboxMt(requirePath: string)
+	return function(self, key)
+		local module = require(requirePath)
+		return module[key]
+	end
+end
+
+local function constructProtectedLibMt(libName: string)
+	return function(self, key)
+		local allow: boolean = stdio.prompt("confirm", string.format(PROMPT_MSG_TMPL, libName))
+
+		if allow then
+			return constructSandboxMt(`@lune/{libName}`)(self, key)
+		end
+
+		error(string.format(DENIED_ERR_TMPL, "fs"))
+	end
+end
+
 local function discoverAndReadScript(filePath: string): string
 	local scriptContents: string
 
@@ -66,67 +91,51 @@ local function sandboxPrint(...: any)
 	DEFAULT_PRINT(`---------------------------------------`)
 end
 
-local function sandboxedRequire(path: string)
+local SANDBOXED_LUNE_STD_LIB = {
-	if path:find("@lune") then
+	["@lune/fs"] = setmetatable({}, {
-		local module = path:split("/")[2]:gsub("%s", "")
+		__index = constructProtectedLibMt("fs"),
-
+	}),
-		if module == "net" or module == "fs" or module == "process" or module == "roblox" then
+	["@lune/luau"] = luau,
-			local allow: boolean =
+	["@lune/process"] = setmetatable({}, {
-				stdio.prompt("confirm", `allow {SANDBOXED_ENV.debugName} to access {module}?`)
+		__index = constructProtectedLibMt("process"),
-
+	}),
-			if allow then
+	["@lune/stdio"] = setmetatable({
-				local moduleRequire = DEFAULT_REQUIRE(path)
+		write = sandboxPrint,
-
+		ewrite = sandboxPrint, -- TODO: do this
-				return setmetatable({}, {
+	}, {
-					__index = function(_, key)
+		__index = constructSandboxMt("@lune/stdio"),
-						local value = moduleRequire[key]
+	}),
-
+	["@lune/net"] = setmetatable({}, {
-						if typeof(value) == "function" then
+		__index = constructProtectedLibMt("net"),
-							if module == "roblox" and key == "getAuthCookie" then
+	}),
+	["@lune/roblox"] = setmetatable({
+		getAuthCookie = function(...)
 			local allowAuthCookie: boolean = stdio.prompt(
 				"confirm",
 				`allow {SANDBOXED_ENV.debugName} to access your .ROBLOSECURITY token?`
 			)
 
 			if allowAuthCookie then
-									return value
+				local getAuthCookie = constructSandboxMt("@lune/roblox")({}, "getAuthCookie")
-								end
+				return getAuthCookie(...)
 			end
 
-							return function(...)
+			error(
-								warn(`{SANDBOXED_ENV.debugName} invoked {key} with args {...}`)
+				`{SANDBOXED_ENV.debugName} attempted to access .ROBLOSECURITY token even when denied`
-								return value(...)
+			)
-							end
-						end
-
-						if module == "process" and key == "args" then
-							return processArgs
-						end
-
-						return value
 		end,
-
-					__tostring = function()
-						return stdio.format(moduleRequire)
-					end,
-				})
-			end
-
-			error(`{SANDBOXED_ENV.debugName} tried to access disallowed library {module}`)
-		end
-
-		local otherModule = DEFAULT_REQUIRE(path)
-
-		if module == "stdio" then
-			return setmetatable({
-				write = sandboxPrint,
-				ewrite = sandboxPrint,
 	}, {
-				__index = otherModule,
+		__index = constructSandboxMt("@lune/roblox"),
-			})
+	}),
-		end
+	["@lune/serde"] = serde,
+	["@lune/task"] = task,
+}
 
-		return otherModule
+local function sandboxedRequire(path: string)
+	local module = SANDBOXED_LUNE_STD_LIB[path]
+
+	if module then
+		return module
 	else
 		local contents = discoverAndReadScript(path)
 
@@ -135,8 +144,6 @@ local function sandboxedRequire(path: string)
 	end
 end
 
-
-
 SANDBOXED_ENV.environment.require = sandboxedRequire
 SANDBOXED_ENV.environment.getfenv = sandboxGetfenv
 SANDBOXED_ENV.environment.setfenv = sandboxSetfenv

modules/test.luau

@@ -1 +0,0 @@
-print(require("@lune/roblox ").getAuthCookie())

pages/getting-started/5-security.mdx

@@ -26,11 +26,14 @@ Copy the source below and place it in a file named `sandbox.luau`:
 local fs = require("@lune/fs")
 local luau = require("@lune/luau")
 local process = require("@lune/process")
+local serde = require("@lune/serde")
 local stdio = require("@lune/stdio")
-local processArgs = table.clone(process.args)
+local task = require("@lune/task")
-local filePath: string = table.remove(processArgs, 1) or error("usage: lune run sandbox [SCRIPT_PATH] -- [ARGS]")
+
+local processArgs = table.clone(process.args)
+local filePath: string = table.remove(processArgs, 1)
+	or error("usage: lune run sandbox [SCRIPT_PATH] -- [ARGS]")
 
-local DEFAULT_REQUIRE = require
 local DEFAULT_PRINT = print
 local SANDBOXED_ENV = {
 	debugName = filePath,
@@ -43,6 +46,28 @@ local SANDBOXED_ENV = {
 	},
 }
 
+local PROMPT_MSG_TMPL = `allow {SANDBOXED_ENV.debugName} to access %s?`
+local DENIED_ERR_TMPL = `{SANDBOXED_ENV.debugName} tried to access disallowed library %s!`
+
+local function constructSandboxMt(requirePath: string)
+	return function(self, key)
+		local module = require(requirePath)
+		return module[key]
+	end
+end
+
+local function constructProtectedLibMt(libName: string)
+	return function(self, key)
+		local allow: boolean = stdio.prompt("confirm", string.format(PROMPT_MSG_TMPL, libName))
+
+		if allow then
+			return constructSandboxMt(`@lune/{libName}`)(self, key)
+		end
+
+		error(string.format(DENIED_ERR_TMPL, "fs"))
+	end
+end
+
 local function discoverAndReadScript(filePath: string): string
 	local scriptContents: string
 
@@ -91,67 +116,51 @@ local function sandboxPrint(...: any)
 	DEFAULT_PRINT(`---------------------------------------`)
 end
 
-local function sandboxedRequire(path: string)
+local SANDBOXED_LUNE_STD_LIB = {
-	if path:find("@lune") then
+	["@lune/fs"] = setmetatable({}, {
-		local module = path:split("/")[2]:gsub("%s", "")
+		__index = constructProtectedLibMt("fs"),
-
+	}),
-		if module == "net" or module == "fs" or module == "process" or module == "roblox" then
+	["@lune/luau"] = luau,
-			local allow: boolean =
+	["@lune/process"] = setmetatable({}, {
-				stdio.prompt("confirm", `allow {SANDBOXED_ENV.debugName} to access {module}?`)
+		__index = constructProtectedLibMt("process"),
-
+	}),
-			if allow then
+	["@lune/stdio"] = setmetatable({
-				local moduleRequire = DEFAULT_REQUIRE(path)
+		write = sandboxPrint,
-
+		ewrite = sandboxPrint, -- TODO: do this
-				return setmetatable({}, {
+	}, {
-					__index = function(_, key)
+		__index = constructSandboxMt("@lune/stdio"),
-						local value = moduleRequire[key]
+	}),
-
+	["@lune/net"] = setmetatable({}, {
-						if typeof(value) == "function" then
+		__index = constructProtectedLibMt("net"),
-							if module == "roblox" and key == "getAuthCookie" then
+	}),
+	["@lune/roblox"] = setmetatable({
+		getAuthCookie = function(...)
 			local allowAuthCookie: boolean = stdio.prompt(
 				"confirm",
 				`allow {SANDBOXED_ENV.debugName} to access your .ROBLOSECURITY token?`
 			)
 
 			if allowAuthCookie then
-									return value
+				local getAuthCookie = constructSandboxMt("@lune/roblox")({}, "getAuthCookie")
-								end
+				return getAuthCookie(...)
 			end
 
-							return function(...)
+			error(
-								warn(`{SANDBOXED_ENV.debugName} invoked {key} with args {...}`)
+				`{SANDBOXED_ENV.debugName} attempted to access .ROBLOSECURITY token even when denied`
-								return value(...)
+			)
-							end
-						end
-
-						if module == "process" and key == "args" then
-							return processArgs
-						end
-
-						return value
 		end,
-
-					__tostring = function()
-						return stdio.format(moduleRequire)
-					end,
-				})
-			end
-
-			error(`{SANDBOXED_ENV.debugName} tried to access disallowed library {module}`)
-		end
-
-		local otherModule = DEFAULT_REQUIRE(path)
-
-		if module == "stdio" then
-			return setmetatable({
-				write = sandboxPrint,
-				ewrite = sandboxPrint,
 	}, {
-				__index = otherModule,
+		__index = constructSandboxMt("@lune/roblox"),
-			})
+	}),
-		end
+	["@lune/serde"] = serde,
+	["@lune/task"] = task,
+}
 
-		return otherModule
+local function sandboxedRequire(path: string)
+	local module = SANDBOXED_LUNE_STD_LIB[path]
+
+	if module then
+		return module
 	else
 		local contents = discoverAndReadScript(path)
 
@@ -160,8 +169,6 @@ local function sandboxedRequire(path: string)
 	end
 end
 
-
-
 SANDBOXED_ENV.environment.require = sandboxedRequire
 SANDBOXED_ENV.environment.getfenv = sandboxGetfenv
 SANDBOXED_ENV.environment.setfenv = sandboxSetfenv